Novell Netware

File Recovery and Forensics

What is Netware?

• Novell Netware is a network operating system that works on LDAP principles to offer users a robust platform for hosting files, printers and other network-related services.

History of Netware

• Early design in 1983

• Designed to host files to DOS workstations

• First OS to use Network Drive Mapping to local workstations

• Proprietary designer of the IPX network interface

• Originally manufactured by the SuperSet Corporation, bought by Novell in 1983 to support a network OS for the hardware Novell was making at the time.

Netware Facts

Website: www.novell.com

Company/developer: Novell, Inc.

Source model: Closed source

Latest stable release: 6.5 SP6 / November 6, 2006

Kernel type: Hybrid kernel

Default user interface: CLI

License: Proprietary

Working state: Current

Client / Server Interface

• With the introduction of Netware 5, Novell offers its users and administrators a never-before-seen level of off-server management, meaning that the majority of all work can be done through Console1 or Novell’s imanager software without directly accessing the server.

Who uses Netware?

Who Likes Netware?

Tony Does

Packet Encryption – How Off-Server Administration Works for Forensics

• With Netware’s heavy inclusion of RSA standard encryption, all transmission from the server to the client (including web clients) is encrypted, ensuring secure communication and data continuity.

File Recovery

Programs to Use:

- NWFiler (Novell File Utility)

- Kroll Ontrack for Netware

Why not Disk Editor

• Norton Disk Editor was designed for FAT partitions; without further testing there is no evidence to support what Disk Editor will do to an NFS

Filer

• On Console or via Network

Salvaging Files

To Recover Files use the Salvage Deleted Files Option

To Recover Files from Directories that exist in the File system

To Recover Deleted Directories

Enter an extension or leave as wildcard

Navigate to the folder; only deleted files and directories will appear in the file browser

MAC Information Confirmation

Recovered file is shown in the original directory

Filer Methodology

• Filer was originally intended to be a file browser for Netware administrators

• Filer can be used to recover files that have not been purged from the system (files are only purged when an administrator purges them using the “purge” option from the Filer menu)

When Files have been Purged

• Kroll Ontrack File Recovery for Netware

• Must Be installed on Server – NLM Netware Loadable module

• Only accessed by the Server Console or RconsoleJ (Netware remote console with imanager)

• Use NetFile Option

Selecting a Volume File Tree

Supported Recovery Destinations

First Response

Tools to use:

• Novell Console 1

• Novell Netware Client

• Novell NWADMIN

• Novell Imanager

Items to Record

• Time

• IP / IPX Configuration

• Users Connected to the Server

• Server Running Processes

• MAC Times

• Console Commands

• Log Files

Time – Console

• To record the time from the system console simply execute the command “time”

Internet Protocol and IPX Configuration - Console

• From the server console execute the command “ipconfig”

Internet Protocol and IPX Configuration – Remote

• Open Console 1

• Right click on the Server Object

• Under the General – Identification tab the IP and IPX addresses are listed

Users connected to the server – Client variant

• Novell Send Message Dialog

To access the send message dialog, left click on the N icon in the Windows taskbar, expand the NetWare utilities and click the send message to users menu option.

Users Connected to the Server – imanager variant

• Launch imanager

• Click the connections menu item

Server Running Processes - Console

To establish which processes or programs are running on the Netware server, the user should first log in to the GUI environment on the server, then open the “remote console program”, which simply provides a GUI version of the console; additionally, it provides a more organized view of the various console functions. To cycle through the running processes, click the screens menu option; this will show the running programs. If the examiner also wishes to view the parameters with which the programs are running, simply click on the option under the screens command.

Server Running Processes - imanager

• Launch imanager

• Choose the “screens” command from the menu

• This will display all applications running on the server

MAC Times

• Map Volumes to local drives

• Use a DOS command to view MAC times
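
The MAC-time step above, as an added example that is not part of the original slides: a Python script that walks a volume mapped to a local drive and logs each entry's timestamps to a CSV file using metadata reads only. The drive letter and output path in the usage comment are hypothetical, and the values recorded are whatever the workstation's client reports for the mapped drive.

```python
import csv
import os
import sys
from datetime import datetime, timezone

FIELDS = ["path", "size", "modified", "accessed", "created_or_changed", "error"]


def _iso(ts):
    """Epoch seconds -> UTC ISO-8601 string, so the log is timezone-unambiguous."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def collect_mac_times(root):
    """Return one record per file/directory under root, reading metadata only."""
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follows links, never opens the file
            except OSError as exc:
                # Keep unreadable entries in the log instead of silently skipping them
                records.append({"path": path, "error": str(exc)})
                continue
            # Creation time where the platform reports it (st_birthtime, or
            # st_ctime on Windows); on Unix st_ctime is the metadata-change time.
            created = getattr(st, "st_birthtime", st.st_ctime)
            records.append({
                "path": path, "size": st.st_size,
                "modified": _iso(st.st_mtime), "accessed": _iso(st.st_atime),
                "created_or_changed": _iso(created), "error": "",
            })
    return sorted(records, key=lambda r: r["path"])


def write_timeline(records, out_path):
    """Write the records as CSV; out_path should be off the evidence volume."""
    with open(out_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS, restval="")
        writer.writeheader()
        writer.writerows(records)
    return len(records)


if __name__ == "__main__":
    # Hypothetical usage: python mactimes.py F:\ C:\case\mactimes.csv
    root, out = sys.argv[1], sys.argv[2]
    print(f"{write_timeline(collect_mac_times(root), out)} entries recorded from {root}")
```

Record the workstation's own clock alongside the output so the logged times can be reconciled with the server time noted earlier.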

      

Console Commands

To view recent commands that have been run on the server, use the GUI console log file. To access the file, click Utilities and then the “console log” item from the main menu.

The accompanying window will show all commands executed on the server.

Log Files

• Logs are stored in the system volume under the following path

• SYS: JAVA/NWGFX

• Must be logged in as admin to access this directory

The Lab: Setup

• Groups of 2 or 3

• Two computers connected to a switch

• One server, one investigative workstation

• Static Assigned IP addresses

• Server: 172.16.0.6, Workstation: 172.16.0.7 (255.255.0.0)

Computer 1 : Server

• Open the VMWARE image of the server

• Run the VMWARE image of the server

Computer 2: Investigative Machine

Option A: Install the following:

• Netware Client

• Console 1

Option B: Use the VMware image

Accounts

Tree: CSI1

Context: Admin

Server: Theserver

Username: admin

Password: tcpip
